SAML terminology
General terminology
Single Sign-On (SSO)
Single Sign-On (SSO) is the process of signing in to multiple services using a single set of credentials (as opposed to having separate credentials for different services). Using SSO, you can sign in to your identity provider and access all the configured services without having to sign in to them separately.
Learn more about Single Sign-On.
SAML
Secure Assertion Markup Language (SAML) is a protocol which is used to implement Single Sign-On (SSO). It is an XML based protocol which the identity provider and the service provider use to communicate.
Learn more about SAML-based SSO.
XML
eXtensible Markup Language (XML) is the language through which communication happens between identity provider and service provider in SAML-based SSO.
Learn more about XML.
Authentication
Authentication is the process of verifying a user's identity when the user tries to sign in. In basic authentication, the user will enter their username and password to their service provider (SP), and the SP will grant access to the user.
In SAML authentication, when the user tries to sign in, the identity provider (IdP) authenticates the user (by verifying their credentials) and sends the authentication response to the service provider (SP). The SP, after getting the response from the IdP, provides access to the user.
Single Logout (SLO)
Single Logout (SLO) is the process of simultaneously signing users out of all the apps they have signed in to using their identity provider (IdP). With SLO enabled, when a user signs out of Zoho, they will be signed out of the IdP as well. Similarly, when a user signs out of the IdP, they will be signed out of Zoho as well. For SLO to work, it must be supported by the IdP.
Top-Level Domain (TLD)
The Top-Level Domain (TLD) denotes the last part of your Zoho account URL. If your account URL is
https://accounts.zylker.com, then your TLD would be
.com. When it comes to Zoho, there are two types of TLDs:
generic TLD (gTLD) and
country code TLD (ccTLD). If you organization's data is stored in the US datacenter, you will have the gTLD
.com. If your organization's data is stored in your region-specific datacenter, you will have a ccTLD such as
.com.cn,
.in,
.com.au, or
.eu.
Identity provider terminology
Identity Provider (IdP)
An identity provider (IdP) maintains a directory of user credentials. When a user wants to access a service (in this case–Zoho), the IdP verifies the user's identity and sends the authentication information to the service provider.
Example: Okta, Microsoft Entra ID, Google Cloud Identity
Sign-In URL
A Sign-In URL is the IdP URL where the user will be redirected for authentication when they try to sign in from Zoho directly. It may also be called a Login URL in your IdP.
Sign-Out URL
A Sign-Out URL is the IdP URL where the sign out request will be sent when the user signs out from Zoho. It may also be called a Logout URL in your IdP. This URL can facilitate
Single Logout (SLO).
Change Password URL
The Change Password URL is the IdP URL where users will be redirected when they try to reset their Zoho password.
X.509 Certificate and Public Key
The X.509 certificate contains the public key used to verify whether the SAML response really comes from the IdP when the users try to sign in to the service provider (e.g., Zoho).
The certificate will be in the following format:
-----BEGIN CERTIFICATE-----
<
Public Key>
-----END CERTIFICATE-------
When configuring SAML in Zoho, you can either upload the X.509 Certificate directly or just copy the contents and paste it in the X.509 Certificate field.
Note: We accept only the following certificate formats: based-64 coded .cer, .crt, .cert, or .pem file. Make sure to upload the certificate in one of these formats.
IdP Metadata
The IdP Metadata is an XML file which contains information such as the Sign-in URL, Sign-out URL, and the X.509 certificate.
Service provider terminology
Service Provider (SP)
A service provider (SP) is a website that hosts services or applications for users. It relies on the IdP to authenticate a user and provide access to them. In this case, Zoho is the service provider.
SP Metadata
The SP Metadata is an XML file which contains the SP Entity ID and ACS URL. You can download this file after configuring SAML in Zoho.
SP Entity ID (Issuer URL/ Identifier)
This is a unique identifier for the service provider (e.g., Zoho). It will vary based on your DC and can be found in the SP metadata file under the tag <md:EntityDescriptor>.
ACS URL (Reply URL/ Single Sign-On URL)
The Assertion Consumer Service (ACS) URL is the Zoho destination URL where the SAML response must be sent by the IdP after authenticating the user. You can find it in the metadata file under the tag <md:AssertionConsumerService>. The last (numeric) part of the ACS URL is your Zoho Organization ID (ZOID).
Note: Zoho only supports email address Name ID format, as specified in the metadata file "urn:oasis:names:tc:SAML:1.1:
nameid-format:emailAddress" .
Relay State URL and Zoho Service
When your users access Zoho from the IdP (i.e., in an IdP-initiated flow), they will be redirected to the relay state URL. With this, you can redirect users to a specific Zoho Service when they sign in. For example, if you set Cliq as the Zoho Service, your users will be redirected to Cliq when they sign in.
You can simply select the required service when configuring SAML in Zoho Accounts. See Step 6 in
Configure SAML in Zoho Accounts.
However, if your IdP wants you to specify the relay state URL when configuring SAML, you can enter it in the following format:
https://{
zoho service name}.zoho.{
your top-level domain}
Example:
https://cliq.zoho.com
Sign Out Response (Single Logout)
Sign out response is used to enable Single Logout (SLO) for your organization users. There are two types of Single Logout:
- SP-initiated SLO: When users sign out from Zoho, they will be automatically signed out of the IdP as well.
- IdP-initiated SLO: When users sign out from the IdP, they will be automatically signed out of Zoho as well.
For SLO to work, it must be supported by the IdP. Some IdP's support only one of these, some support both, and some support none. For the IdPs that are supported, the steps to enable single logout are mentioned in the
respective SAML help articles.
To enable single logout, you need to:
- Select the option Do you need a sign-out response? while configuring SAML in Zoho.
- Provide your IdP's sign-out URL in Zoho while configuring SAML.
- Provide the Zoho's sign-out URL in your IdP. Zoho's sign-out URL can be found in the metadata file under the tag <md:SingleLogoutService>.
Just in Time Provisioning
Just in Time (JIT) provisioning allows your users to get added to your Zoho organization when they sign in to Zoho for the first time through SAML. They will be added after validating the SAML response and their domain. If JIT is not enabled, you have to manually add your users to your Zoho organization before they can sign in with SSO.
Using JIT, you can also fetch and autofill some user information fields in Zoho (from the IdP). To do that, map the following Zoho user information fields with the corresponding ones from your IdP when you enable JIT:
- First Name
- Last Name
- Display Name
Related articles
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Zoho DataPrep Resources
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Configure SAML in Zoho Accounts
Note: If you want to configure SAML for Zoho One/ Zoho Directory, you can refer to their respective help documents: Zoho One | Zoho Directory To create a SAML connection between Zoho and your identity provider (IdP), you will need to provide some ...Accessing Zoho via Microsoft Entra ID using SAML
By configuring SAML based SSO with Microsoft Entra ID, you can let your users sign in to Zoho using their Entra ID credentials. Required items from Microsoft Entra ID You will need the following items from Microsoft Entra ID to configure SAML in ...Accessing Zoho via Google using SAML
You can use Google as an identity provider (IdP) to access Zoho applications. Google IdP is a user management platform for Google Apps and services. Required items from Google You will need the following items from Google to configure SAML in Zoho. ...Troubleshoot SAML related errors
Error Message Reason Solution Your organization has configured SAML authentication, please sign in via SAML credentials You cannot sign in to your Zoho account via any linked account, if your organization has mandated you to sign in only through SAML ...Sign in using SAML
SAML is a protocol that allows you to configure single sign-on (SSO) for Zoho with your identity provider (IdP). Once SAML-based SSO is configured for an organization, all the organization users can directly sign in to Zoho using their IdP ...
New to Zoho LandingPage?
Zoho LandingPage Resources